Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

8/21/2010
05:56 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Choosing The Right Firewall For Your Small Business

After the last post, Four Must-Have SMB Security Tools, readers had a lot of questions about selecting the right firewall for an SMB. Although I've answered each of those emails, those questions are a great segue to this topic: choosing the right firewall for your SMB.

After the last post, Four Must-Have SMB Security Tools, readers had a lot of questions about selecting the right firewall for an SMB. Although I've answered each of those emails, those questions are a great segue to this topic: choosing the right firewall for your SMB.If you're not sure where to start, there are some key questions you should think about and have ready for discussion with your potential firewall vendor or integrator. Keep in mind, each environment is unique, and a quality integrator might have additional questions for you. Having been on the other end of the stick for many years, I encourage you to actively engage in any discussions a vendor initiates and answer any questions he or she has. The "please just quote me on XYZ" attitude can leave you with a product that might not meet all your needs. Take the time, do it the right way, and I can almost guarantee you'll be pleased with the results.

Bandwidth sizing One of the first considerations for a firewall or any device that sits at the WAN is the throughput. You'll need to know your current WAN bandwidth from your provider as well as any burstable limits. For example, you may have a 10mbps link with the capability to burst to 25mbps. Couple that information with any data you have on current usage and then identify potential bandwidth growths in the coming years. You should plan enough room for growth for however long you plan to have that box in place. Look at the stateful throughput and maximum connection numbers on firewalls you're considering. These numbers will help filter out a bulk of products and models from your potential list and narrow your field to two - three models per vendor.

Layered security The next key question will be whether you plan to add additional gateway security services to your firewall or unified threat management (UTM). Personally, I suggest doing so whenever possible. Most UTMs license security features per box instead of per user, so it's a great way to add a layer of security for a nominal fee. Common gateway security services are antivirus, anti-spyware, and IDS/IPS. Here's the important part: If you're adding gateway security to your firewall, it will affect the performance. Don't worry; that's not a bad thing unless you started with too small of a box. Revisit the first question and weed out any boxes that can't handle security services with the bandwidth you need. Remember to consider your future needs and size appropriately. Look at the UTM throughput numbers for products you're considering. At this point you'll have just one -- two models per vendor to consider.

Remote connections Here's where we get into considerations a lot of people overlook. Check out your current firewall configuration very carefully, and make sure you can identify all the functions it's currently performing. Of specific note are remote connections, including site-to-site VPNs and remote access VPNs for employees or partners. It's unlikely your VPN needs will dictate the size of the box, but you may need additional licenses, and in some cases, unique remote access needs require some unique products. If you're currently supporting remote access via IPsec VPN, you'll want to understand the impact firewall and VPN client software changes may have on your users. Sometimes it's more of a headache than you want, but proper planning can help mitigate the level of frustration.

Physical interfaces Although rarely an issue in smaller organizations, it's certainly advisable to be sure any firewalls you're considering support the appropriate physical connections you need. Most common are gigabit copper ports, but you may need a firewall that supports expansion or flex modules for SFP/fiber, T1, or ADSL connections.

Advanced features If your organization has some specific issues or needs to address, be sure and discuss those with your integrator or vendor. In certain product lines, many vendors offer advanced features that may be of interest to you -- such as layer 7 application firewalls to address peer-to-peer traffic and bandwidth-hogging applications. Others offer content filtering as an add-on or as part of a security bundle. Again, these add-ons can be much more cost-effective on a firewall since they're usually licensed per box and not per user; content filtering is a great example of that. You may need advanced archiving or logging options for your compliance needs. Other advanced features that may determine your firewall selection include single sign-on functions, options for redundancy and high availability, and dynamic routing protocols supported. For example, if you plan to use BGP for a private MetroE network, your options will be different than those for OSPF or RIP.

These are just a few of the considerations when selecting a firewall for an SMB. If you're in the market for a new firewall, think it through and dedicate the appropriate amount of time to selecting the right product for you. Replacing firewalls is not a task to take lightly and it's definitely not something you want to do more often than is absolutely necessary.

Jennifer Jabbusch is a CISO and infrastructure security specialist at Carolina Advanced Digital. By day she architects enterprise security solutions and by night, well, she does the same thing. For Dark Reading, she melds her enterprise experience and intimate knowledge of small business operations to deliver relevant security guidance for SMBs everywhere. Jennifer Minella is VP of Engineering and consulting CISO at Carolina Advanced Digital, and an author, speaker and consultant for infrastructure security for government, education and Fortune 100 and 500 corporations. View Full Bio

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Hacking It as a CISO: Advice for Security Leadership
Kelly Sheridan, Staff Editor, Dark Reading,  8/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15596
PUBLISHED: 2020-08-12
The ALPS ALPINE touchpad driver before 8.2206.1717.634, as used on various Dell, HP, and Lenovo laptops, allows attackers to conduct Path Disclosure attacks via a "fake" DLL file.
CVE-2020-15868
PUBLISHED: 2020-08-12
Sonatype Nexus Repository Manager OSS/Pro before 3.26.0 has Incorrect Access Control.
CVE-2020-17362
PUBLISHED: 2020-08-12
search.php in the Nova Lite theme before 1.3.9 for WordPress allows Reflected XSS.
CVE-2020-17449
PUBLISHED: 2020-08-12
PHP-Fusion 9.03 allows XSS via the error_log file.
CVE-2020-17450
PUBLISHED: 2020-08-12
PHP-Fusion 9.03 allows XSS on the preview page.